
AI Governance for Boards: What to Own and What to Delegate


There's a pattern I see in boardrooms that have added "AI strategy" to their agenda. An executive presents. The board listens. Someone asks a question that's technically about AI but actually about accountability. The executive answers with something about data governance and responsible use. The board nods. The item is closed. Nothing was actually governed.

Boards are being asked to sign off on AI investments they can't fully interrogate, using governance frameworks that were designed for different kinds of risk. The result is a form of governance theater: the structures exist, the sign-offs happen, and the accountability is nowhere.

This isn't a criticism of boards specifically. The frameworks genuinely don't fit. Audit committees are built around financial controls and statutory reporting. Risk committees are built around quantifiable risk exposures. AI introduces a risk profile that's different in kind — systems that make decisions at scale, that degrade silently over time, that can produce outcomes nobody explicitly designed, and that concentrate vendor dependencies in ways traditional procurement governance doesn't catch.

Getting governance right doesn't require every board member to understand machine learning. It requires the board to own the right things and ask the right questions — and to know the difference between a real answer and a reassuring one.

What the board needs to own

Board-level AI governance has three genuine responsibilities. Everything else can and should sit with management.

The first is the risk appetite. Not a list of approved use cases, but a real position on where the organization's tolerance for AI-driven decisions sits. What decisions can an AI make autonomously? What decisions require a human in the loop? What outcomes, if they occurred, would represent a failure of accountability at board level? These are governance questions, not technology questions. They need a board answer.

The second is accountability structure. When an AI system produces a bad outcome — a biased recommendation, a pricing error at scale, a model that degrades and nobody notices for six months — who is accountable? The answer should never be "the model." It should be a named person in a named role with a documented process for how failures get escalated. The board should know what that structure is and should have satisfied itself that it's real, not just written down somewhere.

The third is vendor concentration risk. Most enterprise AI programs now run on infrastructure from a small number of large providers. The board needs visibility into those dependencies — not at the technical level, but at the risk level. What happens to business continuity if a vendor relationship breaks? What proprietary data is in the hands of external providers, and under what terms?

Everything else — model selection decisions, specific use cases, technical evaluation, operational monitoring — belongs with management and the relevant technical functions.

The governance trap

The trap boards fall into is trying to govern AI the way they govern everything else: by approving a strategy and reviewing a report. AI doesn't work that way. A strategy document approved eighteen months ago may bear no resemblance to what's actually in production today. Models evolve. Use cases expand beyond their original scope. The risk profile of a system that started as a recommendation tool changes when it starts making operational decisions at volume.

Good AI governance requires a living understanding of what the organization is actually running, not just what it approved. That means the board needs reporting that tells it what AI systems are in production, what decisions those systems are making, and whether the performance monitoring is working — not just whether the program is "on track." Most board reporting on AI covers the program status, not the risk status. Those are different documents.

7 questions that matter

These aren't technical questions. They're governance questions. A board member should be able to ask them in plain language and expect a plain-language answer.

1. What decisions is AI making on behalf of this organization, and at what volume? Not what AI capabilities we have — what decisions it's actually making. If the answer requires a thirty-minute technical explanation, the governance reporting isn't working.

2. Who is accountable when an AI system produces a wrong or harmful output? There should be a named person, not a process or a committee.

3. What are we monitoring, and what triggers a review or a pause? Every production AI system should have defined performance thresholds. The board should know what those are and who owns the response when they're breached.

4. What data are we using to train and run these systems, and do we have the rights to use it that way? Data licensing and privacy compliance create real legal exposure. This is a board-level question dressed as a technical one.

5. Which external providers have access to proprietary or customer data, and under what terms? Vendor risk is real and underdisclosed in most AI reporting.

6. How would we know if an AI system was producing discriminatory outcomes? The answer should describe a monitoring process, not a policy statement.

7. What would we do if we had to take a system offline? Business continuity for AI systems is frequently underdeveloped. The board should be confident an answer exists.

What good reporting looks like

Board AI reporting that answers these questions would include: a register of AI systems in production and what decisions they're influencing, a summary of monitoring status and recent performance alerts, an update on data licensing and vendor contract status, and a brief note on any material changes to the risk profile since the last review.

What boards typically receive: a slide on the AI strategy roadmap, a progress update against implementation milestones, and a chart showing the projected ROI. Those are different conversations. The strategy and roadmap conversation is important. So is the governance one. Both need time on the agenda, and conflating them is how organizations end up with AI programs that are well-funded and under-governed.
